A simple clean-up where the version references have been unified in
all those places I could find now. The versioning scheme used is:
* OpenVPN 2.x
* v2.x
We want to avoid:
* 2.x (2.4 can be just an ordinary decimal number,
OID reference, a version number or anything else)
* OpenVPN v2.x (OpenVPN indicates we're talking about a version)
In addition, several places where it made sense I tried to ensure
the first version reference uses "OpenVPN 2.x" and the following
references in the same section/paragraph use "v2.x", to set the
context for the version reference.
In Changes.rst, modified paragraphs with lines exceeding 80 chars were
reformatted as well.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20170815205301.14542-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15260.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
... | ... |
@@ -164,25 +164,26 @@ Deprecated features |
164 | 164 |
For an up-to-date list of all deprecated options, see this wiki page: |
165 | 165 |
https://community.openvpn.net/openvpn/wiki/DeprecatedOptions |
166 | 166 |
|
167 |
-- ``--key-method 1`` is deprecated in 2.4 and will be removed in 2.5. Migrate |
|
168 |
- away from ``--key-method 1`` as soon as possible. The recommended approach |
|
169 |
- is to remove the ``--key-method`` option from the configuration files, OpenVPN |
|
170 |
- will then use ``--key-method 2`` by default. Note that this requires changing |
|
171 |
- the option in both the client and server side configs. |
|
167 |
+- ``--key-method 1`` is deprecated in OpenVPN 2.4 and will be removed in v2.5. |
|
168 |
+ Migrate away from ``--key-method 1`` as soon as possible. The recommended |
|
169 |
+ approach is to remove the ``--key-method`` option from the configuration |
|
170 |
+ files, OpenVPN will then use ``--key-method 2`` by default. Note that this |
|
171 |
+ requires changing the option in both the client and server side configs. |
|
172 | 172 |
|
173 |
-- ``--tls-remote`` is removed in 2.4, as indicated in the 2.3 man-pages. Similar |
|
174 |
- functionality is provided via ``--verify-x509-name``, which does the same job in |
|
175 |
- a better way. |
|
173 |
+- ``--tls-remote`` is removed in OpenVPN 2.4, as indicated in the v2.3 |
|
174 |
+ man-pages. Similar functionality is provided via ``--verify-x509-name``, |
|
175 |
+ which does the same job in a better way. |
|
176 | 176 |
|
177 |
-- ``--compat-names`` and ``--no-name-remapping`` were deprecated in 2.3 and will |
|
178 |
- be removed in 2.5. All scripts and plug-ins depending on the old non-standard |
|
179 |
- X.509 subject formatting must be updated to the standardized formatting. See |
|
180 |
- the man page for more information. |
|
177 |
+- ``--compat-names`` and ``--no-name-remapping`` were deprecated in OpenVPN 2.3 |
|
178 |
+ and will be removed in v2.5. All scripts and plug-ins depending on the old |
|
179 |
+ non-standard X.509 subject formatting must be updated to the standardized |
|
180 |
+ formatting. See the man page for more information. |
|
181 | 181 |
|
182 |
-- ``--no-iv`` is deprecated in 2.4 and will be removed in 2.5. |
|
182 |
+- ``--no-iv`` is deprecated in OpenVPN 2.4 and will be removed in v2.5. |
|
183 | 183 |
|
184 |
-- ``--keysize`` is deprecated and will be removed in v2.6 together |
|
185 |
- with the support of ciphers with cipher block size less than 128 bits. |
|
184 |
+- ``--keysize`` is deprecated in OpenVPN 2.4 and will be removed in v2.6 |
|
185 |
+ together with the support of ciphers with cipher block size less than |
|
186 |
+ 128-bits. |
|
186 | 187 |
|
187 | 188 |
- ``--comp-lzo`` is deprecated in OpenVPN 2.4. Use ``--compress`` instead. |
188 | 189 |
|
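Review bot: the reflowed ``--keysize`` entry (new line 186) turns "128 bits" into "128-bits", which is a regression rather than a version clean-up: the hyphen belongs only when the number is used as an adjective ("128-bit block"), so the line should read "cipher block size less than 128 bits". The other entries in this hunk follow the stated convention (first reference "OpenVPN 2.4", later references "v2.5"), and the unchanged ``--comp-lzo`` context line already matches it.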
... | ... |
@@ -317,7 +318,7 @@ Maintainer-visible changes |
317 | 317 |
files instead of older ones, to provide a unified behaviour across systemd |
318 | 318 |
based Linux distributions. |
319 | 319 |
|
320 |
-- With OpenVPN v2.4, the project has moved over to depend on and actively use |
|
320 |
+- With OpenVPN 2.4, the project has moved over to depend on and actively use |
|
321 | 321 |
the official C99 standard (-std=c99). This may fail on some older compiler/libc |
322 | 322 |
header combinations. In most of these situations it is recommended to |
323 | 323 |
use -std=gnu99 in CFLAGS. This is known to be needed when doing |
... | ... |
@@ -339,7 +340,7 @@ New features |
339 | 339 |
Security |
340 | 340 |
-------- |
341 | 341 |
- CVE-2017-7522: Fix ``--x509-track`` post-authentication remote DoS |
342 |
- A client could crash a 2.4+ mbedtls server, if that server uses the |
|
342 |
+ A client could crash a v2.4+ mbedtls server, if that server uses the |
|
343 | 343 |
``--x509-track`` option and the client has a correct, signed and unrevoked |
344 | 344 |
certificate that contains an embedded NUL in the certificate subject. |
345 | 345 |
Discovered and reported to the OpenVPN security team by Guido Vranken. |
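Review bot: "v2.4+" on new line 342 is the first version reference in the CVE-2017-7522 entry, so by the convention described in the commit message (first mention "OpenVPN 2.x", later mentions "v2.x") it should be "OpenVPN 2.4+". While this line is being touched, "mbedtls" could become "mbed TLS" to match the spelling used elsewhere in Changes.rst ("mbed TLS builds").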
... | ... |
@@ -396,7 +397,7 @@ User-visible Changes |
396 | 396 |
Bugfixes |
397 | 397 |
-------- |
398 | 398 |
- Fix fingerprint calculation in mbed TLS builds. This means that mbed TLS users |
399 |
- of OpenVPN 2.4.0, 2.4.1 and 2.4.2 that rely on the values of the |
|
399 |
+ of OpenVPN 2.4.0, v2.4.1 and v2.4.2 that rely on the values of the |
|
400 | 400 |
``tls_digest_*`` env vars, or that use ``--verify-hash`` will have to change |
401 | 401 |
the fingerprint values they check against. The security impact of the |
402 | 402 |
incorrect calculation is very minimal; the last few bytes (max 4, typically |
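Review bot: "OpenVPN 2.4.0, v2.4.1 and v2.4.2" on new line 399 mixes both forms inside one enumeration and reads oddly. The leading "OpenVPN" already sets the context for the whole list, and the ambiguity the commit message worries about (a bare "2.4" reading as a decimal or an OID) does not arise for three-part versions listed after the product name. Suggest keeping "OpenVPN 2.4.0, 2.4.1 and 2.4.2" here.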
... | ... |
@@ -425,17 +426,18 @@ Version 2.4.2 |
425 | 425 |
|
426 | 426 |
Bugfixes |
427 | 427 |
-------- |
428 |
-- Fix memory leak introduced in 2.4.1: if ``--remote-cert-tls`` is used, we leaked |
|
429 |
- some memory on each TLS (re)negotiation. |
|
428 |
+- Fix memory leak introduced in OpenVPN 2.4.1: if ``--remote-cert-tls`` is |
|
429 |
+ used, we leaked some memory on each TLS (re)negotiation. |
|
430 | 430 |
|
431 | 431 |
|
432 | 432 |
Security |
433 | 433 |
-------- |
434 |
-- Fix a pre-authentication denial-of-service attack on both clients and servers. |
|
435 |
- By sending a too-large control packet, OpenVPN 2.4.0 or 2.4.1 can be forced |
|
436 |
- to hit an ASSERT() and stop the process. If ``--tls-auth`` or ``--tls-crypt`` |
|
437 |
- is used, only attackers that have the ``--tls-auth`` or ``--tls-crypt`` key |
|
438 |
- can mount an attack. (OSTIF/Quarkslab audit finding 5.1, CVE-2017-7478) |
|
434 |
+- Fix a pre-authentication denial-of-service attack on both clients and |
|
435 |
+ servers. By sending a too-large control packet, OpenVPN 2.4.0 or v2.4.1 can |
|
436 |
+ be forced to hit an ASSERT() and stop the process. If ``--tls-auth`` or |
|
437 |
+ ``--tls-crypt`` is used, only attackers that have the ``--tls-auth`` or |
|
438 |
+ ``--tls-crypt`` key can mount an attack. |
|
439 |
+ (OSTIF/Quarkslab audit finding 5.1, CVE-2017-7478) |
|
439 | 440 |
|
440 | 441 |
- Fix an authenticated remote DoS vulnerability that could be triggered by |
441 | 442 |
causing a packet id roll over. An attack is rather inefficient; a peer |
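Review bot: "OpenVPN 2.4.0 or v2.4.1" on new line 435 mixes both forms inside a single enumeration; since "OpenVPN" already qualifies the list, "OpenVPN 2.4.0 or 2.4.1" would read more naturally and is not ambiguous. The reflow itself is fine, and moving "(OSTIF/Quarkslab audit finding 5.1, CVE-2017-7478)" onto its own line keeps the paragraph under 80 columns without splitting the reference across lines.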
... | ... |
@@ -1995,7 +1995,7 @@ could be either |
1995 | 1995 |
.B execve |
1996 | 1996 |
or |
1997 | 1997 |
.B system. |
1998 |
-As of OpenVPN v2.3, this flag is no longer accepted. In most *nix environments the execve() |
|
1998 |
+As of OpenVPN 2.3, this flag is no longer accepted. In most *nix environments the execve() |
|
1999 | 1999 |
approach has been used without any issues. |
2000 | 2000 |
|
2001 | 2001 |
Some directives such as \-\-up allow options to be passed to the external |
... | ... |
@@ -2007,7 +2007,7 @@ To run scripts in Windows in earlier OpenVPN |
2007 | 2007 |
versions you needed to either add a full path to the script interpreter which can parse the |
2008 | 2008 |
script or use the |
2009 | 2009 |
.B system |
2010 |
-flag to run these scripts. As of OpenVPN v2.3 it is now a strict requirement to have |
|
2010 |
+flag to run these scripts. As of OpenVPN 2.3 it is now a strict requirement to have |
|
2011 | 2011 |
full path to the script interpreter when running non-executables files. |
2012 | 2012 |
This is not needed for executable files, such as .exe, .com, .bat or .cmd files. For |
2013 | 2013 |
example, if you have a Visual Basic script, you must use this syntax now: |
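Review bot: the changed line 2010 is fine, but the unchanged context line right below it (2011) carries a pre-existing typo, "non-executables files", which should be "non-executable files". Since this paragraph is being touched anyway, it would be worth folding that fix in, or noting it for a follow-up.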
... | ... |
@@ -2202,7 +2202,7 @@ passwords, or key pass phrases anymore. This has certain consequences, |
2202 | 2202 |
namely that using a password-protected private key will fail unless the |
2203 | 2203 |
.B \-\-askpass |
2204 | 2204 |
option is used to tell OpenVPN to ask for the pass phrase (this |
2205 |
-requirement is new in 2.3.7, and is a consequence of calling daemon() |
|
2205 |
+requirement is new in v2.3.7, and is a consequence of calling daemon() |
|
2206 | 2206 |
before initializing the crypto layer). |
2207 | 2207 |
|
2208 | 2208 |
Further, using |
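Review bot: "v2.3.7" on new line 2205 is the only version reference visible in this paragraph, and nothing in the hunk's context shows an earlier "OpenVPN 2.x" mention that would set the context the commit message describes. If the paragraph indeed has none, this should be "OpenVPN 2.3.7" rather than "v2.3.7".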
... | ... |
@@ -2475,7 +2475,7 @@ The |
2475 | 2475 |
parameter may be "lzo", "lz4", or empty. LZO and LZ4 |
2476 | 2476 |
are different compression algorithms, with LZ4 generally |
2477 | 2477 |
offering the best performance with least CPU usage. |
2478 |
-For backwards compatibility with OpenVPN versions before 2.4, use "lzo" |
|
2478 |
+For backwards compatibility with OpenVPN versions before v2.4, use "lzo" |
|
2479 | 2479 |
(which is identical to the older option "\-\-comp\-lzo yes"). |
2480 | 2480 |
|
2481 | 2481 |
If the |
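Review bot: "OpenVPN versions before v2.4" on new line 2478 doubles up: the word "versions" already says what the number is, and the scheme in the commit message is "OpenVPN 2.x", explicitly not "OpenVPN v2.x". Suggest "OpenVPN versions before 2.4" (or simply "before OpenVPN 2.4").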
... | ... |
@@ -3774,13 +3774,13 @@ option, this old formatting and remapping will be re-enabled again. This is |
3774 | 3774 |
purely implemented for compatibility reasons when using older plug-ins or |
3775 | 3775 |
scripts which does not handle the new formatting or UTF-8 characters. |
3776 | 3776 |
.IP |
3777 |
-In OpenVPN v2.3 the formatting of these fields changed into a more |
|
3777 |
+In OpenVPN 2.3 the formatting of these fields changed into a more |
|
3778 | 3778 |
standardised format. It now looks like: |
3779 | 3779 |
.IP |
3780 | 3780 |
.B |
3781 | 3781 |
C=US, L=Somewhere, CN=John Doe, emailAddress=john@example.com |
3782 | 3782 |
.IP |
3783 |
-The new default format in OpenVPN v2.3 also does not do the character remapping |
|
3783 |
+The new default format in OpenVPN 2.3 also does not do the character remapping |
|
3784 | 3784 |
which happened earlier. This new format enables proper support for UTF\-8 |
3785 | 3785 |
characters in the usernames, X.509 Subject fields and Common Name variables and |
3786 | 3786 |
it complies to the RFC 2253, UTF\-8 String Representation of Distinguished |
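Review bot: two pre-existing grammar nits sit in the context of this hunk and could be fixed while the paragraph is being edited: "scripts which does not handle" (line 3775) should be "scripts which do not handle", and "it complies to the RFC 2253" (line 3786) should be "it complies with RFC 2253". The two version replacements themselves follow the scheme.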
... | ... |
@@ -3800,7 +3800,7 @@ carriage-return. no-remapping is only available on the server side. |
3800 | 3800 |
.B Please note: |
3801 | 3801 |
This option is immediately deprecated. It is only implemented |
3802 | 3802 |
to make the transition to the new formatting less intrusive. It will be |
3803 |
-removed in OpenVPN v2.5. So please update your scripts/plug-ins where necessary. |
|
3803 |
+removed in OpenVPN 2.5. So please update your scripts/plug-ins where necessary. |
|
3804 | 3804 |
.\"********************************************************* |
3805 | 3805 |
.TP |
3806 | 3806 |
.B \-\-no\-name\-remapping |
... | ... |
@@ -3816,7 +3816,7 @@ It ensures compatibility with server configurations using the |
3816 | 3816 |
option. |
3817 | 3817 |
|
3818 | 3818 |
.B Please note: |
3819 |
-This option is now deprecated. It will be removed in OpenVPN v2.5. |
|
3819 |
+This option is now deprecated. It will be removed in OpenVPN 2.5. |
|
3820 | 3820 |
So please make sure you support the new X.509 name formatting |
3821 | 3821 |
described with the |
3822 | 3822 |
.B \-\-compat\-names |
... | ... |
@@ -4226,8 +4226,8 @@ will inherit the cipher of the peer if that cipher is different from the local |
4226 | 4226 |
.B \-\-cipher |
4227 | 4227 |
setting, but the peer cipher is one of the ciphers specified in |
4228 | 4228 |
.B \-\-ncp\-ciphers\fR. |
4229 |
-E.g. a non-NCP client (<=2.3, or with \-\-ncp\-disabled set) connecting to a |
|
4230 |
-NCP server (2.4+) with "\-\-cipher BF-CBC" and "\-\-ncp-ciphers |
|
4229 |
+E.g. a non-NCP client (<=v2.3, or with \-\-ncp\-disabled set) connecting to a |
|
4230 |
+NCP server (v2.4+) with "\-\-cipher BF-CBC" and "\-\-ncp-ciphers |
|
4231 | 4231 |
AES-256-GCM:AES-256-CBC" set can either specify "\-\-cipher BF-CBC" or |
4232 | 4232 |
"\-\-cipher AES-256-CBC" and both will work. |
4233 | 4233 |
|
... | ... |
@@ -5037,8 +5037,8 @@ response. |
5037 | 5037 |
(required) is a file in OpenVPN static key format which can be generated by |
5038 | 5038 |
.B \-\-genkey |
5039 | 5039 |
|
5040 |
-Older versions (up to 2.3) supported a freeform passphrase file. |
|
5041 |
-This is no longer supported in newer versions (2.4+). |
|
5040 |
+Older versions (up to OpenVPN 2.3) supported a freeform passphrase file. |
|
5041 |
+This is no longer supported in newer versions (v2.4+). |
|
5042 | 5042 |
|
5043 | 5043 |
See the |
5044 | 5044 |
.B \-\-secret |
... | ... |
@@ -5596,7 +5596,7 @@ Write key to |
5596 | 5596 |
.B file. |
5597 | 5597 |
.\"********************************************************* |
5598 | 5598 |
.SS TUN/TAP persistent tunnel config mode: |
5599 |
-Available with linux 2.4.7+. These options comprise a standalone mode |
|
5599 |
+Available with Linux 2.4.7+. These options comprise a standalone mode |
|
5600 | 5600 |
of OpenVPN which can be used to create and delete persistent tunnels. |
5601 | 5601 |
.\"********************************************************* |
5602 | 5602 |
.TP |
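Review bot: the only change in this hunk is capitalising "linux" on line 5599. That is a Linux kernel version, not an OpenVPN one, which is exactly the ambiguity the commit message describes, so the capitalisation is worthwhile, but the commit message does not mention this non-OpenVPN change. One sentence there would help anyone reading the history later.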
... | ... |
@@ -5923,7 +5923,7 @@ flag. |
5923 | 5923 |
.TP |
5924 | 5924 |
.B \-\-dhcp\-release |
5925 | 5925 |
Ask Windows to release the TAP adapter lease on shutdown. |
5926 |
-This option has no effect now, as it is enabled by default starting with version 2.4.1. |
|
5926 |
+This option has no effect now, as it is enabled by default starting with OpenVPN 2.4.1. |
|
5927 | 5927 |
.\"********************************************************* |
5928 | 5928 |
.TP |
5929 | 5929 |
.B \-\-register\-dns |
... | ... |
@@ -6206,7 +6206,7 @@ isprint() function to return true. |
6206 | 6206 |
|
6207 | 6207 |
.B \-\-client\-config\-dir filename as derived from common name or username: |
6208 | 6208 |
Alphanumeric, underbar ('_'), dash ('-'), and dot ('.') except for "." or |
6209 |
-".." as standalone strings. As of 2.0.1-rc6, the at ('@') character has |
|
6209 |
+".." as standalone strings. As of v2.0.1-rc6, the at ('@') character has |
|
6210 | 6210 |
been added as well for compatibility with the common name character class. |
6211 | 6211 |
|
6212 | 6212 |
.B Environmental variable names: |
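Review bot: "As of v2.0.1-rc6" on new line 6209 is the first and only version reference visible in this section of the man page, so under the stated convention it should be "As of OpenVPN 2.0.1-rc6"; "v2.x" is meant for follow-up references once the context has been set.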
... | ... |
@@ -110,7 +110,7 @@ tls-auth ta.key 1 |
110 | 110 |
# Select a cryptographic cipher. |
111 | 111 |
# If the cipher option is used on the server |
112 | 112 |
# then you must also specify it here. |
113 |
-# Note that 2.4 client/server will automatically |
|
113 |
+# Note that v2.4 client/server will automatically |
|
114 | 114 |
# negotiate AES-256-GCM in TLS mode. |
115 | 115 |
# See also the ncp-cipher option in the manpage |
116 | 116 |
cipher AES-256-CBC |
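Review bot: "Note that v2.4 client/server" on new line 113 of the sample client config is the first version reference in this comment block, so "Note that OpenVPN 2.4 client/server" matches the convention better. It is also clearer for users who copy the sample config without ever reading the man page, which is where the "v2.x" shorthand gets its context.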
... | ... |
@@ -246,13 +246,13 @@ tls-auth ta.key 0 # This file is secret |
246 | 246 |
# Select a cryptographic cipher. |
247 | 247 |
# This config item must be copied to |
248 | 248 |
# the client config file as well. |
249 |
-# Note that 2.4 client/server will automatically |
|
249 |
+# Note that v2.4 client/server will automatically |
|
250 | 250 |
# negotiate AES-256-GCM in TLS mode. |
251 | 251 |
# See also the ncp-cipher option in the manpage |
252 | 252 |
cipher AES-256-CBC |
253 | 253 |
|
254 | 254 |
# Enable compression on the VPN link and push the |
255 |
-# option to the client (2.4+ only, for earlier |
|
255 |
+# option to the client (v2.4+ only, for earlier |
|
256 | 256 |
# versions see below) |
257 | 257 |
;compress lz4-v2 |
258 | 258 |
;push "compress lz4-v2" |
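Review bot: in the sample server config, "Note that v2.4 client/server" on new line 249 is the first version reference in its comment block and should be "OpenVPN 2.4"; the later "(v2.4+ only, ..." on new line 255 then reads as the follow-up reference the commit message describes. The "v2.4+" change on line 255 is fine as it stands.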
... | ... |
@@ -6187,7 +6187,7 @@ add_option(struct options *options, |
6187 | 6187 |
else if (streq(p[0], "max-routes") && !p[2]) |
6188 | 6188 |
{ |
6189 | 6189 |
msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored." |
6190 |
- "The number of routes is unlimited as of version 2.4. " |
|
6190 |
+ "The number of routes is unlimited as of OpenVPN 2.4. " |
|
6191 | 6191 |
"This option will be removed in a future version, " |
6192 | 6192 |
"please remove it from your configuration."); |
6193 | 6193 |
} |
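Review bot: the concatenated string literals in this msg() call have no space between "ignored." and "The number of routes", so the warning prints as "--max-routes option ignored.The number of routes is unlimited as of OpenVPN 2.4." The fix is a trailing space on the unchanged literal above, "DEPRECATED OPTION: --max-routes option ignored. ", which fits naturally in this hunk since the next literal is being changed anyway.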
... | ... |
@@ -7018,7 +7018,7 @@ add_option(struct options *options, |
7018 | 7018 |
VERIFY_PERMISSION(OPT_P_GENERAL); |
7019 | 7019 |
if (streq(p[1], "env")) |
7020 | 7020 |
{ |
7021 |
- msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN v2.3. " |
|
7021 |
+ msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN 2.3. " |
|
7022 | 7022 |
"This entry will now be ignored. " |
7023 | 7023 |
"Please remove this entry from your configuration file."); |
7024 | 7024 |
} |
... | ... |
@@ -7864,7 +7864,7 @@ add_option(struct options *options, |
7864 | 7864 |
msg(msglevel, "you cannot use --compat-names with --verify-x509-name"); |
7865 | 7865 |
goto err; |
7866 | 7866 |
} |
7867 |
- msg(M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN v2.5."); |
|
7867 |
+ msg(M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN 2.5."); |
|
7868 | 7868 |
compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES); |
7869 | 7869 |
#if P2MP_SERVER |
7870 | 7870 |
if (p[1] && streq(p[1], "no-remapping")) |
... | ... |
@@ -7880,7 +7880,7 @@ add_option(struct options *options, |
7880 | 7880 |
msg(msglevel, "you cannot use --no-name-remapping with --verify-x509-name"); |
7881 | 7881 |
goto err; |
7882 | 7882 |
} |
7883 |
- msg(M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration. This will be removed in OpenVPN v2.5."); |
|
7883 |
+ msg(M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration. This will be removed in OpenVPN 2.5."); |
|
7884 | 7884 |
compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES); |
7885 | 7885 |
compat_flag(COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING); |
7886 | 7886 |
#endif |